01:31:58bigpup3:bigpup3 has left #bitcoin-wizards
03:10:02bliljerk_:bliljerk_ is now known as bliljerk101
03:13:51PRab_:PRab_ is now known as PRab
03:25:20fanquake_:fanquake_ is now known as fanquake
06:33:23LarsLarsen:LarsLarsen has left #bitcoin-wizards
08:00:25fanquake_:fanquake_ is now known as fanquake
08:05:15wolfe.freenode.net:topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
11:08:16alliesenbub:alliesenbub has left #bitcoin-wizards
11:09:04crowleyman:crowleyman is now known as crwlymn
11:10:01alliesenbub:alliesenbub has left #bitcoin-wizards
12:59:26waxwing__:waxwing__ is now known as waxwing
13:15:57fanquake:fanquake has left #bitcoin-wizards
13:41:47crwlymn:crwlymn is now known as crowleyman
15:51:01waxwing__:waxwing__ is now known as waxwing
16:49:59gmaxwell:Heh: thermal sidechannels, http://www.wired.com/2015/03/stealing-data-computers-using-heat/
16:52:10kanzure:in practice i imagine that ends up like http://i57.servimg.com/u/f57/15/08/47/58/28310510.jpg
16:55:29Adlai:this isn't really 'sidechannel' in the same sense as a timing attack... just another way of communicating between already compromised systems
16:56:49Adlai:the receiving computer can't detect anything that's not intentionally broadcast from the transmitter
16:58:04gmaxwell:Adlai: there is still actually a sidechannel there (it's just low enough capacity that it's unlikely to be useful except intentionally).
16:59:32fluffypony:for those who've poked around with Darkcoin, did I miss anything major? http://www.reddit.com/r/Bitcoin/comments/2zufu1/a_great_podcast_by_lets_talk_bitcoin_discussing/cpmvogy?context=3
17:00:28fluffypony:(also my favourite comment in that thread is this one: "Maybe Bitcoin could implement some of the features, learn from what DRK is doing" - http://www.reddit.com/r/Bitcoin/comments/2zufu1/a_great_podcast_by_lets_talk_bitcoin_discussing/cpmxf62)
17:01:37gmaxwell:fluffypony: ask brisque when he's on, he knows more than most.
17:01:42fluffypony:kk
17:19:05rustyn_:rustyn_ is now known as rustyn
17:22:44dabura667:argh, I am going insane.
17:22:56fluffypony:* fluffypony sends dabura667 to a shrink
17:23:07dabura667:Anyone willing to look over my crappy BIP32 implementation in Python?
17:23:38dabura667:I can initialize ok, but deriving gives me incorrect values, and afaik I am throwing the right values into the hmac
17:23:51dabura667:but the correct privkey doesn't come out of the hmac
17:24:06sipa:the output of the hmac is not the key
17:24:14dabura667:I know
17:24:18dabura667:the left 32 bits
17:24:22dabura667:bytes
17:24:28dabura667:oh wait
17:24:32dabura667:OHHH YEAH
17:24:35dabura667:d'oh
17:24:39sipa:you still need to add the parent privkey
17:24:40dabura667:thanks for reminding me
17:24:58dabura667:I was going insane here. I knew it was something stupid like that. thanks.
17:28:50andytoshi:dabura667: fyi, in future, #bitcoin-dev is a better channel for implementation questions
17:29:26dabura667:ok thanks, I was under the impression it was only Core related
17:29:46dabura667:made a mental note
18:37:58fluffypony:http://eprint.iacr.org/2015/263.pdf
18:39:43nubbins`:fluffypony: dat misspelling of Colombia
18:42:37fluffypony:lol nubbins` I didn't even catch that
18:52:58MRL-Relay:[tacotime] this sounds a lot like the known sybil attacks
18:53:07MRL-Relay:[tacotime] though it's neat that they quantify them
19:05:00gmaxwell:gmaxwell is now known as Guest67686
21:06:42sipa:petertodd: until when are you in sf?
21:22:17Guest67686:Guest67686 is now known as gmaxwell
21:32:58fluffypony:lol andytoshi, now Reddit wants to know if we can implement adam3us' scheme now, like in the next week
21:32:59fluffypony:gogogo
21:33:19sipa:which scheme?
21:33:37fluffypony:sipa: https://bitcointalk.org/index.php?topic=972541.0
21:34:48MRL-Relay:[tacotime] what? why? it's nice but it's still O(n)
21:36:17fluffypony:tacotime: because logic. Remember that whole hoopla with the Microsoft Research paper on ring sigs? Every altcoin was going to implement "Chandran Signatures" and this would automagically make Monero meaningless
21:36:39sipa:altcoins? implement?
21:37:00MRL-Relay:[tacotime] well... i mean, pretty zany things are recommended by the general public for bitcoins each day in r/bitcoin, most of which are insane or not very useful.
21:37:13MRL-Relay:[tacotime] heh.
21:38:48fluffypony:sipa: this thing - https://www.stealth-coin.com/wp-content/uploads/Stealthsend_Whitepaper_brief0914.pdf
21:39:06fluffypony:they have an entire page on Chandran signatures
21:39:40fluffypony:they quickly backtracked on the idea after andytoshi and gmaxwell discussed it here
21:40:04fluffypony:hilarity ensued
22:10:30adam3us:but its O(n) instead of O(2n) :)
22:15:16andytoshi:fluffypony: lol, oh well. sometimes reddit pattern-matches to useful related research..
22:20:56adam3us:fluffypony: i had looked at the chandran et al. paper. problem i have is it's based on weil pairing and maybe some other assumptions. in the direction of, but not as far as, snark novel construction risk
22:23:14fluffypony:and it requires a trusted setup
22:23:46fluffypony:plus the verification time would be horrendous (it's bad enough in Monero as it is)
22:24:27gmaxwell:the verification time was linear in the ring size, IIRC.
22:25:30gmaxwell:fluffypony: I dunno if it's changed but the implementation in monero I think was pretty performance braindamaged before.
22:25:52andytoshi:how practical (and plausibly secure) are zk accumulators?
22:26:18fluffypony:gmaxwell: nothing's changed, we still sigverify on one thread because logic
22:26:48fluffypony:* fluffypony sighs at the bits of the codebase nobody wants to touch
22:26:58adam3us:gmaxwell: that (verification time O(n)) may be hard to avoid short of snarks. it seems to me that you need to admit the possibility with fresh pseudo randomness that any signer could've signed, and to prevent existential forgery you need to bind all those values together so that there is at least one non-existential forgery
22:28:58gmaxwell:the forgery needs only be computationally infeasible though... so it's not obvious to me that the O(n) can't fundamentally be amortized (and indeed the snark over a hash tree proof does that).
22:33:27adam3us:gmaxwell: yeah maybe. just not with the ideas i explored so far :) my criteria were to avoid any novel crypto though so thats constraining perhaps.
22:44:03amiller:andytoshi, by zk accumulators, you mean the RSA ones that zerocoin uses?
22:44:28andytoshi:amiller: yeah, a quick search suggests there aren't others out there
22:45:09amiller:there are, there are a) accumulators from generic snarks like zerocash uses, there are b) ones using bilinear groups but they have kind of worse setup costs
22:46:06andytoshi:oh ok, i saw "strong RSA" in the title and thought they might've been number-theoretic :/
22:46:28petertodd:sipa: friday for sure, but maybe sooner - don't know yet
22:46:47sipa:ah, i'm coming to sf on wednesday
22:46:53amiller:andytoshi, i mean there are at least three kinds of accumulators, a) like in zerocash, b) using bilinear groups, c) like in zerocoin
22:47:00amiller:the last one is based on strong RSA assumption
22:47:06petertodd:sipa: cool, that's a maybe - not sure I'm in sf wed/thu/fri yet
22:47:40gmaxwell:andytoshi: the rsa like ones in theory can work in any additive cyclic group with unknown order.
22:50:09amiller:andytoshi, this is the main citation for the RSA one, which zerocoin basically uses intact http://link.springer.com/chapter/10.1007/3-540-45708-9_5#page-1
22:51:09amiller:gmaxwell, that surprises me, you can do some kinds of zero knowledge proofs in cyclic groups with unknown order but not everything you need for a zk accumulator..
22:51:23andytoshi:ok, thx for the help guys. my use case fell apart when i looked at it too closely but i'll keep this in mind..
22:55:45adam3us:speaking of RSA accumulators this shoup et al paper http://www.shoup.net/papers/subring.pdf has fixed size ring signature based on some small extension to the benaloh accumulator. but its not linkable.
22:58:21gmaxwell:amiller: could just be confirmation bias on my part. I don't off the top of my head have an argument to support that claim in a strong sense; but it was my cached result.
22:59:41amiller:gmaxwell, okay. the rsa accumulator is a little wonky, like you can only accumulate prime numbers
23:00:14amiller:zerocoin gets around that by just redrawing commitments over and over again until the commitment value itself is literally a prime number
23:00:33gmaxwell:yea, well you're trying to show knowledge of an N-th root.